OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of horyzon »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - horyzon

Pages: [1]
1
22.7 Legacy Series / Re: WireGuard Road Warrior: peers don't see each other
« on: October 11, 2022, 02:58:52 am »
guys thanks for your answers, you made me think a lot about what I was doing wrong
at the end I understood why it didn't work, it was trivial afterall, but someone could stumble on it, especially if coming from wireguard setup on different routers or a dedicated vm:

before opnsense, I usually set allowed ip of 'wg_server/32' on all peers, and it always worked because I always masqueraded all the traffic with dedicated iptables rule, while openwrt does it automagically with an option

with opnsense, even if I created a dedicated interface for wg, I would in any case need to masquerade all the traffic with a dedicated outbound rule, setting source/destination on 'wireguard net' and translation in the 'wg address'

the simpler alternative is just allowing the entire /24 network on all wg peers, so the traffic can pass through them even if the gateway is not using masquerade on the wg interface

for the same reason, you would anyway need an outbound rule to masquerade the source ip if accessing a wg peer from another network (es. lan) without have to modify the allowed ips of all your peers

2
22.7 Legacy Series / WireGuard Road Warrior: peers don't see each other
« on: October 09, 2022, 09:16:45 pm »
Hello everyone,
I am new to OPNSense, coming from dd-wrt and openwrt experiences in various flavours
I tried to configure a Wireguard road warrior service, where the wg gateway is opnsense itself
I followed the offical guide here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
with the standard procedure, but I tried even creating a dedicated interface, the issue is the same:
the peers don't see each other nor see their open ports

note that:
- every peer can connect to the opnsense wg gateway correctly
- wg gateway can ping the peers and the peers can ping the gateway
- a dedicated firewall rule in the wg interface (or in wireguard group) allows in/out transition from and to the /24 subnet of wg set by an alias
- when a peer tries to access a port on another peer, the firewall logs succesfully the passing packets, but still the peers can't establish a connection
- the routes for every peer are correctly appearing on System->Routes

opnsense packet capture shows a peer transmitting and retransmitting the same packet and having no response, this happens for every peer trying to communicate with a peer
the dst peer shows no trace of the packet sent

I really can't figure out what is the problem, can you help me?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2